A newly discovered Android lockscreen bypass vulnerability allows Google Gemini to send SMS messages without completing PIN verification under specific conditions.
The flaw reportedly occurs when a user triggers Gemini from the lock screen and simultaneously taps the "Add attachment" and "Continue" buttons after being prompted for authentication. The exploit can also reportedly restore Gemini's access to apps like WhatsApp, even if those permissions were previously disabled.
The vulnerability has reportedly been known to Google since May 2026, and a security fix is already in development. Early reports suggest the issue affects Android 16 devices and is not limited to Google Pixel phones, although Google has not confirmed the full list of impacted devices.
Security experts note that the exploit requires physical access to the device, making the overall risk lower than a remote attack. Users are advised to install upcoming Android security updates as soon as they become available.